California Signals Strong Regulation of Automated Decision-Making Technologies


On November 27, the California Privacy Protection Agency (CPPA) released draft regulations to govern automated decision-making technology. Businesses regulated under the California Consumer Privacy Act (CCPA) will be familiar with the obligation to disclose, in the company’s privacy policy, certain uses of automated decision-making technology or consumer profiling. However, the scope of consumers’ right to opt out of being subject to automated decision-making technology, including profiling, has remained murky: rather than directly establishing governing parameters, the CCPA broadly mandates the CPPA to issue “regulations governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling.”

On the Wednesday before Thanksgiving, the CPPA released these draft regulations to the public. The CPPA board is scheduled to discuss the regulations at its December 8, 2023 meeting, with formal rulemaking expected to follow in 2024. 

The regulations were expected to be significant, and they are. The breadth of the proposed regulations and their requirements is evident from the outset. Unsurprisingly, they define “automated decision-making technology” broadly, as:

Any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as a whole or part of a system to make or execute a decision or facilitate human decision-making. Automated decision-making technology includes profiling.

“Profiling,” in turn, means:

any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

If your business uses, or intends to use, technologies in any application that falls into the above categories, it is highly likely that your use of such technologies will be regulated, by the CCPA or otherwise, either now or in the future. It will be important to keep an eye on the layers of obligations that various regulators are developing around the use of these technologies.

For businesses subject to the CCPA, the proposed regulations make clear that such businesses using automated decision-making technology must, among other things, give consumers (1) notice of a right to opt out of being subject to the technology and (2) the right to access information about how the business uses the technology. Specifically, a “Pre-use Notice” must be made readily available “where consumers will encounter it” before the business processes the consumer’s personal information using the automated decision-making technology. Among other things, the notice must explain the purpose for which the technology is used, describe the consumer’s right to opt out, and provide additional information regarding the technology, including:

The draft proposal demonstrates uncertainty, however, about the final scope of the opt-out right. As an initial matter, the proposed opt-out would apply to decisions that produce legal or similarly significant effects concerning a consumer, to profiling consumers in their capacities as an employee, independent contractor, job applicant, or student, or to profiling consumers in publicly accessible places.

Notably, the notion of “profiling” employees, independent contractors, job applicants, or students is specified to include use of the following:

Profiling consumers in public includes use of the following technologies:

While the foregoing scope seems to be somewhat settled, the draft also identifies the following potential extensions of the opt-out right, subject to further Board discussion:

Given the broad scope of this potential new opt-out right—and the potential that it will be broadened further—businesses that are implementing, or taking steps to implement, automated decision-making technology should be thinking about practical measures to build pre-use notice and opt-out mechanisms into their processes.

Notably, the current proposal carves out an exception to the proposed opt-out right where the automated decision-making technology “is necessary to achieve, and is used solely for” one of the following purposes:

Regardless of the final scope of the proposed automated decision-making opt-out right, a regulated business will likely be required to provide at least two opt-out methods. For businesses that interact with consumers online, one of these options must be an interactive form accessible via an opt-out link that is provided in the pre-use notice.

The draft regulations continue to propose an additional “access right” authorizing consumers to obtain information regarding the business’s use of automated decision-making technology and certain additional rules relating to behavioral advertising targeting consumers under 16 years old.    

Given that the brief discussion above only scratches the surface of the potential impact of the CPPA’s new draft regulations to govern automated decision-making technologies, the CPPA’s future work on the topic is worth continued scrutiny. The scope of the CPPA’s final regulations on the topic remains uncertain. The far-reaching effect of the agency’s final regulations, however, is guaranteed.


© 2024 Varnum LLP
National Law Review, Volume XIII, Number 340